Does Serverless support an easy way to add an IAM permission boundary to the Lambda execution roles? I'd love to be able to specify it in the provider similar to iamRoleStatements, or on a per-function level. Currently I'm having to create my execution role manually in the Resources and link it to each function due to the fact that I'm required to provide a permission boundary on my roles.
Like you, I would like to be able to add my `PermissionBoundary` property directly in my `iamRoleStatements`, but, as a temporary workaround, I have simply extended my IAM Role in the Resources section.
```yaml
resources:
  Resources:
    MyFunctionIamRoleLambdaExecution:
      Properties:
        # ${AWS::AccountId} is the variable syntax Fn::Sub expects
        PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/my_policy_name"
```
`MyFunctionIamRoleLambdaExecution` is automatically created by Serverless Framework for my function `MyFunction`.
I would also like this feature. I think adding another element to the iamRoleStatements would be easiest. Writing a plugin to do this is also possible rather than adding an extension for every function in the Resources section. Thanks for the example.
The complete example would be this:

```yaml
service:
  name: one5

provider:
  name: aws
  runtime: python3.8
  region: us-west-2

functions:
  importFPGroupDataToGA3:
    handler: handler.hello1
    # point the function at the custom role instead of the generated one
    role:
      Fn::GetAtt:
        - myDefaultRole
        - Arn

resources:
  Resources:
    myDefaultRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: 'sts:AssumeRole'
  # resources.extensions merges extra properties into an existing resource
  extensions:
    myDefaultRole:
      Properties:
        PermissionsBoundary: 'arn:aws:iam::xxxxxxxxxxxx:policy/PermissionBoundary'
```
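The plugin route mentioned in the reply above, as an added example that is not part of the thread or of the Serverless Framework itself: a small plugin that hooks `before:package:finalize`, walks the compiled CloudFormation template and sets `PermissionsBoundary` on every `AWS::IAM::Role` that does not already have one, so the framework-generated execution role is covered without touching `resources.extensions` per function. The config key `custom.permissionsBoundary`, the plugin name and the sample template contents are assumptions made for this example.

```javascript
'use strict';

// Added example, not Serverless Framework code. Assumed configuration:
//   custom:
//     permissionsBoundary: arn:aws:iam::<account-id>:policy/PermissionBoundary
//   plugins:
//     - ./permissions-boundary-plugin   # hypothetical file name
class PermissionsBoundaryPlugin {
  constructor(serverless, options) {
    this.serverless = serverless;
    this.options = options;
    // package:finalize runs after the framework has generated its execution
    // roles, so every role that will be deployed is already in the template.
    this.hooks = {
      'before:package:finalize': () => this.run(),
    };
  }

  run() {
    const service = this.serverless.service;
    const boundaryArn = service.custom && service.custom.permissionsBoundary;
    // Fail the packaging step rather than deploy roles without the guardrail.
    if (!boundaryArn) {
      throw new this.serverless.classes.Error(
        'custom.permissionsBoundary must be set to the ARN of the boundary policy'
      );
    }
    const template = service.provider.compiledCloudFormationTemplate;
    const changed = applyPermissionsBoundary(template, boundaryArn);
    this.serverless.cli.log(
      `PermissionsBoundary applied to ${changed.length} role(s): ${changed.join(', ')}`
    );
  }
}

// Pure helper: set PermissionsBoundary on every IAM role in the template that
// lacks one. Roles that already declare a boundary are left as they are.
// Returns the logical IDs that were changed.
function applyPermissionsBoundary(template, boundaryArn) {
  const changed = [];
  const resources = (template && template.Resources) || {};
  for (const [logicalId, resource] of Object.entries(resources)) {
    if (resource.Type !== 'AWS::IAM::Role') continue;
    resource.Properties = resource.Properties || {};
    if (resource.Properties.PermissionsBoundary) continue;
    resource.Properties.PermissionsBoundary = boundaryArn;
    changed.push(logicalId);
  }
  return changed;
}

// Pure check usable in CI against a packaged template: logical IDs of roles
// that still have no boundary. An empty list means every role is covered.
function rolesWithoutBoundary(template) {
  return Object.entries((template && template.Resources) || {})
    .filter(([, r]) => r.Type === 'AWS::IAM::Role'
      && !(r.Properties && r.Properties.PermissionsBoundary))
    .map(([id]) => id);
}

// Constructed sample resembling a compiled template: the framework-generated
// execution role without a boundary, a user-defined role that already has one,
// and a non-role resource that must be ignored. Account id is a placeholder.
function sampleTemplate() {
  return {
    Resources: {
      IamRoleLambdaExecution: {
        Type: 'AWS::IAM::Role',
        Properties: { RoleName: 'one5-dev-us-west-2-lambdaRole', AssumeRolePolicyDocument: {} },
      },
      myDefaultRole: {
        Type: 'AWS::IAM::Role',
        Properties: { PermissionsBoundary: 'arn:aws:iam::111111111111:policy/Existing' },
      },
      HelloLambdaFunction: { Type: 'AWS::Lambda::Function', Properties: {} },
    },
  };
}

if (typeof module !== 'undefined') {
  module.exports = PermissionsBoundaryPlugin;
  module.exports.applyPermissionsBoundary = applyPermissionsBoundary;
  module.exports.rolesWithoutBoundary = rolesWithoutBoundary;
  module.exports.sampleTemplate = sampleTemplate;
}
```

The mutation is kept in a pure function so the same logic can be run over `.serverless/cloudformation-template-update-stack.json` in a pipeline check, and the plugin throws when the boundary ARN is missing instead of silently deploying unbounded roles.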